Field
Embodiments of the systems and methods described herein are generally related to computer network security monitoring and defense.
Background
In recent years, malicious attacks on computer networks have increased dramatically in both number and sophistication. In an attempt to curb such attacks, administrators often use systems known as intrusion detection systems (IDSs). IDSs are used to automatically detect attacks on networks and alert administrators if any attacks are detected.
IDSs typically detect attacks by using a preprogrammed database of traffic pattern signatures. For example, if the IDS detects a particular type of network traffic that it has been preprogrammed to consider malicious, the IDS may determine that the network is being attacked and provide an alert or perform some other remedial action, such as stopping the traffic from the attack. But, whether or not an IDS can detect such an attack is limited by whether the IDS has the signature of the attack. Maintaining such a database of traffic pattern signatures can be difficult because attack signatures change often. Moreover, although the IDS may be able to detect attacks and determine the type of attack, the IDS cannot determine the objectives of an attack. Also, depending on the type of attack, detection may not occur until substantial damage has been inflicted.
IDSs are typically placed at entry and exit points of a network to examine the traffic at such points. But, because the traffic that flows through the entry and exit points can be substantial, IDSs often analyze only a subset of the traffic. Further, because IDSs only monitor traffic at entry and exit points of networks, if an attacker is able to penetrate a network without alerting the IDS, then the attacker can continue to explore and damage a network without any risk of detection.